Can’t believe I haven’t heard of Wickr before (launched June 2012?), seems to be popular and reinforces the appetite out there for SAFE messaging.
Peer-to-Peer encryption, does not rely on centralized private KDC for decryption
Wickr App
- ID and device info are cryptographically hashed with multiple rounds of salted cryptographic hashing using SHA256
- Data at rest and in transit is encrypted with AES256
- No password or Password hashes leave device
- Messages and media are forensically wiped after they expire
Wickr Secure Exchange Server
- In contact with encrypted messages/media only
- Never in contact with passwords of private encryption keys
- Deletes messages on delivery
- Interacts with only hashed ID and device info
Automatically Find Friends Without Ratting Them Out
However…
But Wickr also has a “proprietary algorithm,” secret to everybody except the app developers and some trusted reviewers. Wickr doesn’t have open source code.
In other words, only the company knows precisely how its privacy-enhancing system works. And that’s exactly where Wickr’s privacy and security utopia could fail and crumble, according to cryptography and security experts.
“We have a kind of a maxim in our field, in cryptography, which is that the systems should be open,” says Matthew Green, a cryptography researcher and professor at Johns Hopkins University Information Security Institute.
Green echoes what Bruce Schneier, a cryptography and security guru, has been saying for a long time. “The idea is simple,” wrote Schneier in a 1999 newsletter. “Cryptography is hard to do right, and the only way to know if something was done right is to be able to examine it.”
LAW ENFORCEMENT GUIDELINES
Wickr is committed to operating in an environment of complete transparency and to cooperating with law enforcement while respecting each individual’s right to privacy.
Requests for Wickr Account Information
Requests for user account information from U.S. law enforcement should be directed to Wickr in San Francisco, California. Wickr responds to valid legal process issued in compliance with U.S. law.
Private Information Requires a Subpoena or Court Order
Non-public information about Wickr users’ accounts will not be released to law enforcement except in response to appropriate legal process such as a subpoena, court order, or other valid legal process.
Contents of Communications Are Not Available
Requests for the contents of communications require a valid search warrant from an agency with proper jurisdiction over Wickr. However, our response to such a request will reflect that either the content is not available or that, in very limited instances where a message has not yet been retrieved by the recipient, the content will be limited to scrambled data which is indecipherable.
Will Wickr Notify Users of Requests for Account Information?
Yes. Wickr’s policy is to notify users of requests for their account information prior to disclosure including providing user with a copy of the request, unless we are prohibited by law from doing so. Since we cannot envision a scenario in which the provision to law enforcement of the date an account was created, the type of device, and the date of last use, will assist in an emergency situation, we maintain that user notification will occur unless legally bound not to notify users of law enforcement requests for their user information.
What Information Can Wickr Supply You With?
Wickr has the following information about User Accounts:
• Date an account was created
• Type of device on which such account was installed
• Date of last use
What Must Be Included in Account Information Requests?
When requesting user account information, you must include ALL of the following:
◦ User name (Wickr ID) for account being investigated
◦ A valid official email address
◦ Law enforcement letterhead
◦ Description of account information being sought
Service of Process
We do not accept legal process via email. Receipt of correspondence and communication with law enforcement by email do not waive any objections to the lack of jurisdiction or proper service inherent in attempted service of process via email.
Production of Records and Authentication
We provide responsive records in electronic format and believe that any records produced in response to a valid law enforcement request are self-authenticating. If you require a declaration, please explicitly note that in your request. At this time we do not anticipate seeking reimbursement for the costs of producing records because we believe those costs will be de minimis based on the limited information we can supply.
Mutual Legal Assistance Treaties
Wickr’s policy is to promptly respond to requests that are issued via U.S. court upon proper service of process either by way of a mutual legal assistance treaty or letter rogatory.